DaaS / Products / Application with Transactional DB and Search Backend

Application with Transactional DB and Search Backend

A developer building an application (e.g., e-commerce or content platform) uses RDS as the primary transactional database and OpenSearch as the search/analytics engine, and needs to configure access control and credentials for both services as part of the same infrastructure setup.

Products involved

Scenario

Developers building e-commerce or content platforms use ApsaraDB RDS for ACID-compliant transactional workloads and Alibaba Cloud OpenSearch for low-latency full-text search and analytics. This guide shows how to provision and secure access credentials for both services within a single VPC-bound infrastructure setup, ensuring least-privilege access and unified credential management.

Integration steps

Create RDS Application Account: Provision a dedicated database account with read/write privileges for your transactional schema.

   aliyun rds CreateAccount --DBInstanceId rm-uf6wjk5xxxxxx --AccountName app_rw --AccountPassword 'SecurePass123!' --AccountType Normal
   aliyun rds GrantAccountPrivilege --DBInstanceId rm-uf6wjk5xxxxxx --AccountName app_rw --DBName ecommerce_db --AccountPrivilege ReadWrite

Configure RAM User for OpenSearch: Create a RAM user with scoped OpenSearch permissions instead of using root credentials.

   aliyun ram CreateUser --UserName opensearch-app
   aliyun ram AttachPolicyToUser --PolicyName AliyunOpenSearchReadOnlyAccess --UserName opensearch-app

Generate OpenSearch API Key: Bind a programmatic API key to your OpenSearch instance for application-level authentication.

   curl -X POST "https://opensearch.cn-hangzhou.aliyuncs.com/v4/openapi/instances/os-xxxxx/api-keys" \
     -H "Authorization: Bearer <STS_TOKEN>" \
     -d '{"name": "app-search-key", "description": "App search access", "permissions": ["read", "write"]}'

Enforce VPC & Whitelist Alignment: Ensure both instances share the same VPC/vSwitch. Add your application’s security group ID to the RDS SecurityIPList and OpenSearch NetworkConfig.
Inject Credentials into Runtime: Store the RDS password in Alibaba Cloud KMS and pass the OpenSearch API key via environment variables (OPENSEARCH_API_KEY). Configure your ORM and search client to use these values at startup.

Architecture

RDS acts as the authoritative system of record, handling synchronous CRUD operations and enforcing relational constraints. Application writes trigger asynchronous data synchronization (via Alibaba Cloud DTS or application-level CDC) into OpenSearch indices. OpenSearch handles high-concurrency search queries, aggregations, and analytics, returning results to the application without impacting RDS transactional throughput.

Prerequisites

Active Alibaba Cloud account with billing enabled
Provisioned ApsaraDB RDS instance and OpenSearch instance in the same region
Shared VPC and vSwitch for both services
RAM user with AliyunRDSFullAccess and AliyunOpenSearchFullAccess policies
Alibaba Cloud CLI configured (aliyun configure)

Common pitfalls

VPC/Security Group Mismatch: Failing to whitelist the app’s security group on both RDS and OpenSearch causes ConnectionRefused or Timeout errors.
Over-Scoped RAM Policies: Attaching AliyunOpenSearchFullAccess instead of a least-privilege policy exposes cluster management endpoints to the application runtime.
Credential Rotation Gaps: Hardcoding RDS passwords or OpenSearch API keys breaks deployments when secrets expire; always integrate with KMS or Secrets Manager.
Sync Latency Misalignment: Assuming real-time consistency between RDS and OpenSearch leads to stale search results; implement retry logic or read-after-write routing for critical flows.

Typical questions

set up RDS and OpenSearch for my app
configure database and search access control
application backend with RDS and OpenSearch
为应用配置RDS和OpenSearch访问权限
manage RDS accounts and OpenSearch API keys
RDS OpenSearch 应用后端搭建
grant RAM user access to RDS and OpenSearch
搭建带搜索功能的数据库应用

FAQ

Q: How do I provision and integrate RDS and OpenSearch for an application backend? A: You can provision and integrate both services by deploying them within a shared VPC and injecting their respective credentials into your application runtime. RDS handles synchronous transactional workloads while asynchronously syncing data to OpenSearch for low-latency search and analytics.

Q: How do I configure access control and network security for RDS and OpenSearch? A: Configure access control by creating scoped RAM users with least-privilege policies and adding your application’s security group ID to both the RDS SecurityIPList and OpenSearch NetworkConfig. This alignment prevents connection timeouts and avoids exposing cluster management endpoints to the application runtime.

Q: How do I create and securely manage RDS accounts and OpenSearch API keys? A: Create a dedicated RDS account with read/write privileges and generate a scoped OpenSearch API key for programmatic application authentication. Secure these credentials by storing the RDS password in Alibaba Cloud KMS and passing the OpenSearch API key via environment variables instead of hardcoding them.